Task
Resolution: Done
Major
We need to generalize peer verification. Right now the peer verification callback (org.wildfly.security.auth.callback.VerifyPeerTrustedCallback) is specific to X.509 certificate chains, but other mechanisms might use different peer credentials for the verification.
An ideal API might use an optional Principal and an optional Credential. For Entity, an org.wildfly.security.credential.X509CertificateChainPublicCredential might be used for the Credential, and the Principal would be extracted from that. For key-based authentication, the principal could be the NamePrincipal of the host name and the credential would be a PublicKeyCredential.
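A sketch of the callback shape described above, as an added example that is not Elytron code and not part of the original issue. `PeerVerifyCallback`, `verify`, the chain-validator predicate and the pinned-key map are hypothetical; `Object` stands in for the Credential types and a lambda stands in for NamePrincipal so that only the JDK is needed.

```java
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.function.Predicate;

public class PeerVerifyDemo {
    // Hypothetical callback: an optional principal plus an opaque peer credential.
    static final class PeerVerifyCallback {
        final Principal principal;    // may be null
        final Object credential;      // X509Certificate[] or PublicKey (stand-ins for Credential)
        Principal verifiedPrincipal;  // set only when verification succeeds
        PeerVerifyCallback(Principal p, Object c) { principal = p; credential = c; }
    }

    // Dispatches on the credential type and fails closed on anything it cannot verify.
    static boolean verify(PeerVerifyCallback cb, Predicate<X509Certificate[]> chainTrusted,
                          Map<String, PublicKey> pinnedKeys) {
        if (cb.credential instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) cb.credential;
            if (chain.length == 0 || !chainTrusted.test(chain)) return false;
            // The principal is extracted from the credential, not supplied by the caller.
            cb.verifiedPrincipal = chain[0].getSubjectX500Principal();
            return true;
        }
        if (cb.credential instanceof PublicKey) {
            if (cb.principal == null) return false;  // a bare key carries no identity
            PublicKey pinned = pinnedKeys.get(cb.principal.getName());
            byte[] offered = ((PublicKey) cb.credential).getEncoded();
            if (pinned == null || offered == null
                    || !MessageDigest.isEqual(pinned.getEncoded(), offered)) return false;
            cb.verifiedPrincipal = cb.principal;
            return true;
        }
        return false;  // unknown credential type
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        PublicKey hostKey = gen.generateKeyPair().getPublic();   // constructed sample keys
        PublicKey otherKey = gen.generateKeyPair().getPublic();
        Map<String, PublicKey> pins = Map.of("host.example", hostKey);  // constructed pin store
        Principal host = () -> "host.example";                   // stand-in for NamePrincipal
        Predicate<X509Certificate[]> noChains = chain -> false;  // no X.509 trust in this demo
        System.out.println(verify(new PeerVerifyCallback(host, hostKey), noChains, pins));
        System.out.println(verify(new PeerVerifyCallback(host, otherKey), noChains, pins));
        System.out.println(verify(new PeerVerifyCallback(null, hostKey), noChains, pins));
    }
}
```

The three calls in `main` cover the matching pinned key, a key that does not match the pin for that host name, and a key presented with no principal.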